[uf-rest] Introducing JAHAH (regarding JSONP)

Dr. Ernie Prabhakar drernie at opendarwin.org
Thu Jan 5 12:05:24 PST 2006


Hi David,

On Jan 5, 2006, at 11:41 AM, David Janes -- BlogMatrix wrote:

> Justin Maxwell wrote:
>> This is an interesting approach.  However, I can't even consider  
>> using it.  How can exploiting browser flaws to bypass necessary  
>> security measures provide a permanent, dependable solution to  
>> anything?
>
> You're free not to use it, of course.

Thanks. :-)

I do agree JSON has some useful ideas we should consider in the  
general AHAH context, but there is also value in bringing AHAH ideas  
into the JSON community, for which you deserve credit.

> My personal prediction, take that for what is worth, is that this  
> "hole" will not be filled -- it is too useful. The most severe form  
> of cross-domain hijacking -- being able to control, manipulate, and  
> modify an IFRAME -- doesn't have techniques that translate into  
> JSON/SCRIPT loading.

Interesting.  I presume others have raised the security concerns with  
JSON before -- do you have a URL that goes into them?

> Most web users run Javascript from all over the place now -- every  
> time you visit a web page in fact, mostly. The biggest concern is  
> for content providers that "can I trust a web service being  
> provided over JSON". If you're doing e-commerce, probably not. If  
> you're a weblog or static web page displaying data, probably.

> I will state this: if JSON is not for you (i.e. some generic person  
> out there), JAHAH isn't either.

Hmm.  Let me see if I follow this logic:

* JavaScript implementations will only be inside the browser (and thus  
via XMLHttpRequest), which limits them to a) the browser and b) the same  
domain, greatly limiting the chance for mischance.

* Non-browser web service implementations will generally use other  
languages to explicitly parse JSON, and thus not be exposed to the  
security risk.

Is that more-or-less what you're getting at?

> As I said, JSON is out there now and coming into widespread  
> deployment,

To be sure, I've heard a lot about it, but not looked at it before.   
I dare say plists and YAML both still have larger user communities,  
though probably not among JavaScript developers.  The big question is  
whether any of these gains sufficient 'critical mass' to become a  
dominant standard.

Certainly, it is noteworthy that a lot of different people are  
rebelling against XML as the default encoding, so there is some  
"there" there to be exploited.

> it's not something that me and a couple of guys down at the pub  
> invented last weekend :-).

For the record, XOXO-as-YAML was actually invented last *month*, and  
at an Indian restaurant, not a pub, so there. ;-)

-- Ernie P.
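
The two consumption paths the thread contrasts, as an added example that is not part of the original post: a JSONP response handled by explicit parsing instead of script execution. The callback name handleData and the sample responses are constructed for illustration.

```javascript
// Added example, not from the original thread: loading a JSON/JSONP
// response via <script src=...> executes whatever the provider returns,
// so the consumer must trust the provider completely. A consumer that
// parses explicitly (XMLHttpRequest + JSON.parse in the browser, or any
// JSON library outside it) accepts data only and rejects anything else.

// Constructed sample responses (not from any real service).
const SAMPLES = {
  // What a provider returns for a JSONP request with callback=handleData.
  wrapped: 'handleData({"title":"hello","count":3});',
  // Same payload with an extra statement appended: a script tag would run
  // it, the parser below refuses it.
  extraStatement: 'handleData({"title":"hello","count":3}); other({"x":1});',
  // A response that calls a callback the page never asked for.
  wrongCallback: 'somethingElse({"title":"hello"});',
};

// Accept only the exact shape <expectedCallback>( <JSON value> ) with an
// optional trailing semicolon, then hand the inner text to JSON.parse,
// which throws on anything that is not pure JSON. Nothing is executed.
function unwrapJsonp(text, expectedCallback) {
  const m = /^\s*([A-Za-z_$][\w$]*)\s*\(([\s\S]*)\)\s*;?\s*$/.exec(text);
  if (m === null) throw new Error("response is not a single callback call");
  if (m[1] !== expectedCallback) throw new Error("unexpected callback " + m[1]);
  return JSON.parse(m[2]);
}

// Convenience wrapper returning null instead of throwing, for callers
// that only need to know whether the response was usable data.
function consumeJsonp(text, expectedCallback) {
  try {
    return unwrapJsonp(text, expectedCallback);
  } catch (e) {
    return null;
  }
}

console.log(consumeJsonp(SAMPLES.wrapped, "handleData"));        // { title: 'hello', count: 3 }
console.log(consumeJsonp(SAMPLES.extraStatement, "handleData")); // null
console.log(consumeJsonp(SAMPLES.wrongCallback, "handleData"));  // null
```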
